Hacker Sells 5.4 million Twitter Users Data for $30,000

A Twitter security vulnerability discovered in January 2022 was used to glean the account details of 5.4 million users, and listed for sale on hackers' forums.

Back in January 2022, a hackerOne user “zhirinovskiy” submitted a bug report to Twitter, that leads an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user has hidden these fields in the privacy settings.

Later, Twitter confirmed the vulnerability, and the bug hunter was rewarded with a $5,040 monetary reward for his findings. 

A user on the famous hacking forum, Breached Forums goes by the username 'devil', is now selling 5.4million Twitter users' accounts data allegedly acquired from exploiting the same vulnerability. The Breach Forums user selling the database for $30,000. According to the hacker post, the dataset includes “Celebrities, Companies, randoms, OGs, etc.”

The owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above. Hacker also posted a sample of the data in a CSV file, including people from around the world, with public profile information and the Twitter user’s email or phone number used with the account.

The Register reported that Twitter is investigating the above claim and checking the authenticity of the data. A Twitter spokesperson wrote in an email to The Register "We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question,". 

"We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly, and fixed the vulnerability," the spokesperson said. "As always, we're committed to protecting the privacy and security of the people who use Twitter. We're grateful to the security community who engages in our bug bounty program to help us identify potential vulnerabilities such as this." the spokesperson further added.

The Twitter spokesperson did not respond to The Register's questions about whether the owners of the accounts in question have been notified, and what the company is doing to mitigate the issue.